[PATCH v2 0/5] Add support for SM3 secure hash

[PATCH v2 0/5] Add support for SM3 secure hash

[Heiko Schocher]

Add SM3 secure hash, as specified by OSCCA GM/T 0004-2012 SM3 and described
at https://datatracker.ietf.org/doc/html/draft-sca-cfrg-sm3-02

TPMv2 defines hash algo sm3_256, which is currently
not supported and prevented TPMv2 chip with newer
firmware to work with U-Boot. Seen this on a ST33TPHF2XI2C

    u-boot=> tpm2 init
    u-boot=> tpm2 autostart
    tpm2_get_pcr_info: too many pcrs: 5
    Error: -90
    u-boot=>

Implement sm3 hash, so we can fix this problem.

Azure build:
https://dev.azure.com/hs0298/hs/_build/results?buildId=190&view=results

Changes in v2:
rebase to
6b27b688694: ("Merge branch 'master' of https://source.denx.de/u-boot/custodians/u-boot-sh")
add Ilias to Series-cc
add sm3_hash to header file, so we can use it.
add comments from Ilias
- use ARRAY_SIZE(hash_algo_list) instead of a fix number
  in tpm2_get_pcr_info() for the count of supported hashes
  in U-Boot.
- add SM3 hash in tpm_tcg2
Added Reviewed-by tag from Heinrich

Heiko Schocher (5):
  lib: Import rol32 function from Linux
  lib: implement sm3 256 hash
  test: cmd: hash: add unit test for sm3_256
  tpm2: add sm3 256 hash support
  test: cmd: fix a typo in md5 test

 MAINTAINERS            |   7 +
 boot/Kconfig           |   1 +
 cmd/Kconfig            |  15 ++
 cmd/Makefile           |   1 +
 cmd/sm3sum.c           |  48 +++++++
 cmd/tpm-v2.c           |   1 +
 common/hash.c          |  43 +++++-
 include/linux/bitops.h |  11 ++
 include/tpm-v2.h       |  12 ++
 include/u-boot/sm3.h   |  35 +++++
 lib/Kconfig            |   7 +
 lib/Makefile           |   1 +
 lib/sm3.c              | 313 +++++++++++++++++++++++++++++++++++++++++
 lib/tpm-v2.c           |   4 +-
 lib/tpm_tcg2.c         |   9 ++
 test/cmd/hash.c        |  48 ++++++-
 16 files changed, 552 insertions(+), 4 deletions(-)
 create mode 100644 cmd/sm3sum.c
 create mode 100644 include/u-boot/sm3.h
 create mode 100644 lib/sm3.c

-- 
2.20.1

base-commit: 9094482ca7576877b2bfaa57c8e73cfeb536f8b9

[PATCH v2 1/5] lib: Import rol32 function from Linux

[Heiko Schocher]

sm3 crypto algorithm uses rol32 function from linux, so
import it. Linux base was:

commit ca91b9500108:("Merge tag 'v6.15-rc4-ksmbd-server-fixes' of git://git.samba.org/ksmbd")

Signed-off-by: Heiko Schocher <hs@nabladev.com>
---

Changes in v2:
rebase to
6b27b688694: ("Merge branch 'master' of https://source.denx.de/u-boot/custodians/u-boot-sh")
add Ilias to Series-cc

 include/linux/bitops.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/include/linux/bitops.h b/include/linux/bitops.h
index f826d7f3b34..29e0da48de8 100644
--- a/include/linux/bitops.h
+++ b/include/linux/bitops.h
@@ -148,6 +148,17 @@ static inline unsigned long hweight_long(unsigned long w)
 	return sizeof(w) == 4 ? generic_hweight32(w) : generic_hweight64(w);
 }
 
+/**
+ * rol32 - rotate a 32-bit value left
+ * @word: value to rotate
+ * @shift: bits to roll
+ */
+
+static inline __u32 rol32(__u32 word, unsigned int shift)
+{
+	return (word << (shift & 31)) | (word >> ((-shift) & 31));
+}
+
 #include <asm/bitops.h>
 
 /* linux/include/asm-generic/bitops/non-atomic.h */
-- 
2.20.1

[PATCH v2 2/5] lib: implement sm3 256 hash

[Heiko Schocher]

Implement SM3_256 Hash algorithm, based on
linux commit f83a4f2a4d8c: ("Merge tag 'erofs-for-6.17-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs")

Signed-off-by: Heiko Schocher <hs@nabladev.com>
---
This patch drops a lot of checkpatch warnings, ignored them
as tried to stay as close as possible with linux code.

Changes in v2:
add sm3_hash to header file, so we can use it.

 MAINTAINERS          |   7 +
 boot/Kconfig         |   1 +
 cmd/Kconfig          |  15 +++
 cmd/Makefile         |   1 +
 cmd/sm3sum.c         |  48 +++++++
 common/hash.c        |  43 +++++-
 include/u-boot/sm3.h |  35 +++++
 lib/Kconfig          |   7 +
 lib/Makefile         |   1 +
 lib/sm3.c            | 313 +++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 470 insertions(+), 1 deletion(-)
 create mode 100644 cmd/sm3sum.c
 create mode 100644 include/u-boot/sm3.h
 create mode 100644 lib/sm3.c

diff --git a/MAINTAINERS b/MAINTAINERS
index 671903605d1..4c13e21e147 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1672,6 +1672,13 @@ F:	include/slre.h
 F:	lib/slre.c
 F:	test/lib/slre.c
 
+SM3
+M:	Heiko Schocher <hs@nabladev.com>
+S:	Maintained
+F:	cmd/sm3sum.c
+F:	include/u-boot/sm3.h
+F:	lib/sm3.c
+
 SMCCC TRNG
 M:	Etienne Carriere <etienne.carriere@linaro.org>
 S:	Maintained
diff --git a/boot/Kconfig b/boot/Kconfig
index 9adb051400f..6209c7ef712 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -1024,6 +1024,7 @@ config MEASURED_BOOT
 	select SHA256
 	select SHA384
 	select SHA512
+	select SM3
 	help
 	  This option enables measurement of the boot process when booting
 	  without UEFI . Measurement involves creating cryptographic hashes
diff --git a/cmd/Kconfig b/cmd/Kconfig
index 9929087a8bb..4ef6d2f7fe1 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -264,6 +264,21 @@ config CMD_SBI
 	help
 	  Display information about the SBI implementation.
 
+config CMD_SM3SUM
+	bool "sm3sum"
+	select SM3
+	select HASH
+	help
+	  Compute SM3 checksum.
+	  add SM3 hash functionality
+
+config SM3SUM_VERIFY
+	bool "sm3sum -v"
+	depends on CMD_SM3SUM
+	help
+	  Add for the sm3sum command the -v option
+	  to verify data against an SM3 checksum.
+
 config CMD_SMBIOS
 	bool "smbios"
 	depends on SMBIOS
diff --git a/cmd/Makefile b/cmd/Makefile
index 25479907797..642042cfe00 100644
--- a/cmd/Makefile
+++ b/cmd/Makefile
@@ -177,6 +177,7 @@ obj-$(CONFIG_CMD_SETEXPR) += setexpr.o
 obj-$(CONFIG_CMD_SETEXPR_FMT) += printf.o
 obj-$(CONFIG_CMD_SPI) += spi.o
 obj-$(CONFIG_CMD_STRINGS) += strings.o
+obj-$(CONFIG_CMD_SM3SUM) += sm3sum.o
 obj-$(CONFIG_CMD_SMBIOS) += smbios.o
 obj-$(CONFIG_CMD_SMC) += smccc.o
 obj-$(CONFIG_CMD_SYSBOOT) += sysboot.o
diff --git a/cmd/sm3sum.c b/cmd/sm3sum.c
new file mode 100644
index 00000000000..9044a322e22
--- /dev/null
+++ b/cmd/sm3sum.c
@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * (C) Copyright 2025
+ * Heiko Schocher, Nabladev Software Engineering, hs@nabladev.com
+ *
+ * based on code from cmd/md5sum.c
+ */
+
+#include <command.h>
+#include <env.h>
+#include <hash.h>
+
+static int do_sm3sum(struct cmd_tbl *cmdtp, int flag, int argc,
+		     char *const argv[])
+{
+	int flags = HASH_FLAG_ENV;
+	int ac;
+	char *const *av;
+
+	if (argc < 3)
+		return CMD_RET_USAGE;
+
+	av = argv + 1;
+	ac = argc - 1;
+	if (IS_ENABLED(CONFIG_SM3SUM_VERIFY) && strcmp(*av, "-v") == 0) {
+		flags |= HASH_FLAG_VERIFY;
+		av++;
+		ac--;
+	}
+
+	return hash_command("sm3_256", flags, cmdtp, flag, ac, av);
+}
+
+#if IS_ENABLED(CONFIG_SM3SUM_VERIFY)
+U_BOOT_CMD(sm3sum, 5, 1, do_sm3sum,
+	   "compute SM3 message digest",
+	   "address count [[*]sum]\n"
+	   "  - compute SM3 message digest [save to sum]\n"
+	   "sm3sum -v address count [*]sum\n"
+	   "  - verify sm3sum of memory area"
+);
+#else
+U_BOOT_CMD(sm3sum, 4, 1, do_sm3sum,
+	   "compute SM3 message digest",
+	   "address count [[*]sum]\n"
+	   "  - compute SM3 message digest [save to sum]"
+);
+#endif /* IS_ENABLED(CONFIG_SM3SUM_VERIFY) */
diff --git a/common/hash.c b/common/hash.c
index 0c45992d5c7..1bf0a01681f 100644
--- a/common/hash.c
+++ b/common/hash.c
@@ -34,6 +34,7 @@
 #include <u-boot/sha256.h>
 #include <u-boot/sha512.h>
 #include <u-boot/md5.h>
+#include <u-boot/sm3.h>
 
 static int __maybe_unused hash_init_sha1(struct hash_algo *algo, void **ctxp)
 {
@@ -143,6 +144,35 @@ static int __maybe_unused hash_finish_sha512(struct hash_algo *algo, void *ctx,
 	return 0;
 }
 
+static int __maybe_unused hash_init_sm3(struct hash_algo *algo, void **ctxp)
+{
+	struct sm3_context *ctx = malloc(sizeof(struct sm3_context));
+
+	sm3_init(ctx);
+	*ctxp = ctx;
+	return 0;
+}
+
+static int __maybe_unused hash_update_sm3(struct hash_algo *algo, void *ctx,
+					  const void *buf, uint size,
+					  int is_last)
+{
+	sm3_update((struct sm3_context *)ctx, buf, size);
+	return 0;
+}
+
+static int __maybe_unused hash_finish_sm3(struct hash_algo *algo, void *ctx,
+					  void *dest_buf, int size)
+{
+	if (size < algo->digest_size)
+		return -1;
+
+	sm3_final((struct sm3_context *)ctx, dest_buf);
+	free(ctx);
+	return 0;
+}
+
+
 static int __maybe_unused hash_init_crc16_ccitt(struct hash_algo *algo,
 						void **ctxp)
 {
@@ -298,6 +328,17 @@ static struct hash_algo hash_algo[] = {
 #endif
 	},
 #endif
+#if CONFIG_IS_ENABLED(SM3)
+	{
+		.name		= "sm3_256",
+		.digest_size	= SM3_DIGEST_SIZE,
+		.chunk_size	= SM3_BLOCK_SIZE,
+		.hash_func_ws	= sm3_csum_wd,
+		.hash_init	= hash_init_sm3,
+		.hash_update	= hash_update_sm3,
+		.hash_finish	= hash_finish_sm3,
+	},
+#endif
 #if CONFIG_IS_ENABLED(CRC16)
 	{
 		.name		= "crc16-ccitt",
@@ -334,7 +375,7 @@ static struct hash_algo hash_algo[] = {
 #if CONFIG_IS_ENABLED(SHA256) || IS_ENABLED(CONFIG_CMD_SHA1SUM) || \
 	CONFIG_IS_ENABLED(CRC32_VERIFY) || IS_ENABLED(CONFIG_CMD_HASH) || \
 	CONFIG_IS_ENABLED(SHA384) || CONFIG_IS_ENABLED(SHA512) || \
-	IS_ENABLED(CONFIG_CMD_MD5SUM)
+	IS_ENABLED(CONFIG_CMD_MD5SUM) || CONFIG_IS_ENABLED(SM3)
 #define multi_hash()	1
 #else
 #define multi_hash()	0
diff --git a/include/u-boot/sm3.h b/include/u-boot/sm3.h
new file mode 100644
index 00000000000..202017803af
--- /dev/null
+++ b/include/u-boot/sm3.h
@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: GPL-2.0-only
+#ifndef _SM3_H
+#define _SM3_H
+
+#define SM3_DIGEST_SIZE	32	/* 256 bits */
+#define SM3_BLOCK_SIZE	64	/* 512 bits */
+#define SM3_PAD_UNIT	56	/* 448 bits */
+
+#define SM3_T1		0x79CC4519
+#define SM3_T2		0x7A879D8A
+
+#define SM3_IVA		0x7380166f
+#define SM3_IVB		0x4914b2b9
+#define SM3_IVC		0x172442d7
+#define SM3_IVD		0xda8a0600
+#define SM3_IVE		0xa96f30bc
+#define SM3_IVF		0x163138aa
+#define SM3_IVG		0xe38dee4d
+#define SM3_IVH		0xb0fb0e4e
+
+struct sm3_context {
+	uint32_t state[SM3_DIGEST_SIZE / 4];
+	uint64_t count; /* Message length in bits */
+	uint8_t buffer[SM3_BLOCK_SIZE];
+	int buflen;
+};
+
+void sm3_init(struct sm3_context *sctx);
+void sm3_update(struct sm3_context *sctx, const uint8_t *input, size_t ilen);
+void sm3_final(struct sm3_context *sctx, uint8_t output[SM3_DIGEST_SIZE]);
+void sm3_hash(const uint8_t *input, size_t ilen, uint8_t output[SM3_DIGEST_SIZE]);
+
+void sm3_csum_wd(const unsigned char *input, uint32_t len,
+		 unsigned char *output, unsigned int chunk_sz);
+#endif
diff --git a/lib/Kconfig b/lib/Kconfig
index f5c1731f456..fdfe0bd5042 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -606,6 +606,13 @@ config SHA384
 	  The SHA384 algorithm produces a 384-bit (48-byte) hash value
 	  (digest).
 
+config SM3
+	bool "Enable SM3 support"
+	help
+	  This option enables support of hashing using
+	  SM3 (ShangMi 3) secure hash function (OSCCA GM/T 0004-2012, ISO/IEC 10118-3)
+	  The hash is calculated in software.
+
 config SHA_HW_ACCEL
 	bool "Enable hardware acceleration for SHA hash functions"
 	help
diff --git a/lib/Makefile b/lib/Makefile
index 07702cef7e7..70667f3728c 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -81,6 +81,7 @@ obj-$(CONFIG_$(PHASE_)SHA1_LEGACY) += sha1.o
 obj-$(CONFIG_$(PHASE_)SHA256) += sha256_common.o
 obj-$(CONFIG_$(PHASE_)SHA256_LEGACY) += sha256.o
 obj-$(CONFIG_$(PHASE_)SHA512_LEGACY) += sha512.o
+obj-$(CONFIG_$(PHASE_)SM3) += sm3.o
 
 obj-$(CONFIG_CRYPT_PW) += crypt/
 obj-$(CONFIG_$(PHASE_)ASN1_DECODER_LEGACY) += asn1_decoder.o
diff --git a/lib/sm3.c b/lib/sm3.c
new file mode 100644
index 00000000000..6b750b66772
--- /dev/null
+++ b/lib/sm3.c
@@ -0,0 +1,313 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * SM3_256 Hash Algorithm Implementation for U-Boot
+ * based on linux implementation:
+ *
+ * f83a4f2a4d8c
+ *  Merge tag 'erofs-for-6.17-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs
+ *
+ * SM3 secure hash, as specified by OSCCA GM/T 0004-2012 SM3 and described
+ * at https://datatracker.ietf.org/doc/html/draft-sca-cfrg-sm3-02
+ *
+ * Copyright (c) 2025 Heiko Schocher <hs@nabladev.com>
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <asm/unaligned.h>
+#include <linux/bitops.h>
+
+#include <u-boot/sm3.h>
+#ifndef USE_HOSTCC
+#include <u-boot/schedule.h>
+#endif
+
+static const u32 K[64] = {
+	0x79cc4519, 0xf3988a32, 0xe7311465, 0xce6228cb,
+	0x9cc45197, 0x3988a32f, 0x7311465e, 0xe6228cbc,
+	0xcc451979, 0x988a32f3, 0x311465e7, 0x6228cbce,
+	0xc451979c, 0x88a32f39, 0x11465e73, 0x228cbce6,
+	0x9d8a7a87, 0x3b14f50f, 0x7629ea1e, 0xec53d43c,
+	0xd8a7a879, 0xb14f50f3, 0x629ea1e7, 0xc53d43ce,
+	0x8a7a879d, 0x14f50f3b, 0x29ea1e76, 0x53d43cec,
+	0xa7a879d8, 0x4f50f3b1, 0x9ea1e762, 0x3d43cec5,
+	0x7a879d8a, 0xf50f3b14, 0xea1e7629, 0xd43cec53,
+	0xa879d8a7, 0x50f3b14f, 0xa1e7629e, 0x43cec53d,
+	0x879d8a7a, 0x0f3b14f5, 0x1e7629ea, 0x3cec53d4,
+	0x79d8a7a8, 0xf3b14f50, 0xe7629ea1, 0xcec53d43,
+	0x9d8a7a87, 0x3b14f50f, 0x7629ea1e, 0xec53d43c,
+	0xd8a7a879, 0xb14f50f3, 0x629ea1e7, 0xc53d43ce,
+	0x8a7a879d, 0x14f50f3b, 0x29ea1e76, 0x53d43cec,
+	0xa7a879d8, 0x4f50f3b1, 0x9ea1e762, 0x3d43cec5
+};
+
+/*
+ * Transform the message X which consists of 16 32-bit-words. See
+ * GM/T 004-2012 for details.
+ */
+#define R(i, a, b, c, d, e, f, g, h, t, w1, w2)			\
+	do {							\
+		ss1 = rol32((rol32((a), 12) + (e) + (t)), 7);	\
+		ss2 = ss1 ^ rol32((a), 12);			\
+		d += FF ## i(a, b, c) + ss2 + ((w1) ^ (w2));	\
+		h += GG ## i(e, f, g) + ss1 + (w1);		\
+		b = rol32((b), 9);				\
+		f = rol32((f), 19);				\
+		h = P0((h));					\
+	} while (0)
+
+#define R1(a, b, c, d, e, f, g, h, t, w1, w2) \
+	R(1, a, b, c, d, e, f, g, h, t, w1, w2)
+#define R2(a, b, c, d, e, f, g, h, t, w1, w2) \
+	R(2, a, b, c, d, e, f, g, h, t, w1, w2)
+
+#define FF1(x, y, z)  (x ^ y ^ z)
+#define FF2(x, y, z)  ((x & y) | (x & z) | (y & z))
+
+#define GG1(x, y, z)  FF1(x, y, z)
+#define GG2(x, y, z)  ((x & y) | (~x & z))
+
+/* Message expansion */
+#define P0(x) ((x) ^ rol32((x), 9) ^ rol32((x), 17))
+#define P1(x) ((x) ^ rol32((x), 15) ^ rol32((x), 23))
+#define I(i)  (W[i] = get_unaligned_be32(data + i * 4))
+#define W1(i) (W[i & 0x0f])
+#define W2(i) (W[i & 0x0f] =				\
+		P1(W[i & 0x0f]				\
+			^ W[(i-9) & 0x0f]		\
+			^ rol32(W[(i-3) & 0x0f], 15))	\
+		^ rol32(W[(i-13) & 0x0f], 7)		\
+		^ W[(i-6) & 0x0f])
+
+static void sm3_transform(struct sm3_context *sctx, u8 const *data, u32 W[16])
+{
+	u32 a, b, c, d, e, f, g, h, ss1, ss2;
+
+	a = sctx->state[0];
+	b = sctx->state[1];
+	c = sctx->state[2];
+	d = sctx->state[3];
+	e = sctx->state[4];
+	f = sctx->state[5];
+	g = sctx->state[6];
+	h = sctx->state[7];
+
+	R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4));
+	R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5));
+	R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6));
+	R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7));
+	R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8));
+	R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9));
+	R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10));
+	R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11));
+	R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12));
+	R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13));
+	R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14));
+	R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15));
+	R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16));
+	R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17));
+	R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18));
+	R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19));
+
+	R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20));
+	R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21));
+	R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22));
+	R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23));
+	R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24));
+	R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25));
+	R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26));
+	R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27));
+	R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28));
+	R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29));
+	R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30));
+	R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31));
+	R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32));
+	R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33));
+	R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34));
+	R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35));
+
+	R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36));
+	R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37));
+	R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38));
+	R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39));
+	R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40));
+	R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41));
+	R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42));
+	R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43));
+	R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44));
+	R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45));
+	R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46));
+	R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47));
+	R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48));
+	R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49));
+	R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50));
+	R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51));
+
+	R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52));
+	R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53));
+	R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54));
+	R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55));
+	R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56));
+	R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57));
+	R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58));
+	R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59));
+	R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60));
+	R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61));
+	R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62));
+	R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63));
+	R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64));
+	R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65));
+	R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66));
+	R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67));
+
+	sctx->state[0] ^= a;
+	sctx->state[1] ^= b;
+	sctx->state[2] ^= c;
+	sctx->state[3] ^= d;
+	sctx->state[4] ^= e;
+	sctx->state[5] ^= f;
+	sctx->state[6] ^= g;
+	sctx->state[7] ^= h;
+}
+#undef R
+#undef R1
+#undef R2
+#undef I
+#undef W1
+#undef W2
+
+void sm3_init(struct sm3_context *sctx)
+{
+	memset(sctx, 0, sizeof(struct sm3_context));
+
+	/* Load initial values */
+	sctx->state[0] = SM3_IVA;
+	sctx->state[1] = SM3_IVB;
+	sctx->state[2] = SM3_IVC;
+	sctx->state[3] = SM3_IVD;
+	sctx->state[4] = SM3_IVE;
+	sctx->state[5] = SM3_IVF;
+	sctx->state[6] = SM3_IVG;
+	sctx->state[7] = SM3_IVH;
+	sctx->count = 0;
+}
+
+static inline void sm3_block(struct sm3_context *sctx,
+		u8 const *data, int blocks, u32 W[16])
+{
+	while (blocks--) {
+		sm3_transform(sctx, data, W);
+		data += SM3_BLOCK_SIZE;
+	}
+}
+
+void sm3_update(struct sm3_context *sctx, const uint8_t *input, size_t ilen)
+{
+	unsigned int partial = sctx->count % SM3_BLOCK_SIZE;
+	u32 W[16];
+
+	sctx->count += ilen;
+
+	if ((partial + ilen) >= SM3_BLOCK_SIZE) {
+		int blocks;
+
+		if (partial) {
+			int p = SM3_BLOCK_SIZE - partial;
+
+			memcpy(sctx->buffer + partial, input, p);
+			input += p;
+			ilen -= p;
+
+			sm3_block(sctx, sctx->buffer, 1, W);
+		}
+
+		blocks = ilen / SM3_BLOCK_SIZE;
+		ilen %= SM3_BLOCK_SIZE;
+
+		if (blocks) {
+			sm3_block(sctx, input, blocks, W);
+			input += blocks * SM3_BLOCK_SIZE;
+		}
+
+		memset(W, 0, sizeof(W));
+
+		partial = 0;
+	}
+	if (ilen)
+		memcpy(sctx->buffer + partial, input, ilen);
+}
+
+void sm3_final(struct sm3_context *sctx, uint8_t output[SM3_DIGEST_SIZE])
+{
+	const int bit_offset = SM3_BLOCK_SIZE - sizeof(u64);
+	__be64 *bits = (__be64 *)(sctx->buffer + bit_offset);
+	__be32 *digest = (__be32 *)&output[0];
+	unsigned int partial = sctx->count % SM3_BLOCK_SIZE;
+	u32 W[16];
+	int i;
+
+	sctx->buffer[partial++] = 0x80;
+	if (partial > bit_offset) {
+		memset(sctx->buffer + partial, 0, SM3_BLOCK_SIZE - partial);
+		partial = 0;
+
+		sm3_block(sctx, sctx->buffer, 1, W);
+	}
+
+	memset(sctx->buffer + partial, 0, bit_offset - partial);
+	*bits = cpu_to_be64(sctx->count << 3);
+	sm3_block(sctx, sctx->buffer, 1, W);
+
+	for (i = 0; i < 8; i++)
+		put_unaligned_be32(sctx->state[i], digest++);
+
+	/* Zeroize sensitive information. */
+	memset(W, 0, sizeof(W));
+	memset(sctx, 0, sizeof(*sctx));
+}
+
+
+/**
+ * sm3_hash - Calculate SM3 hash of input data
+ * @input: Input data
+ * @ilen: Input data length in bytes
+ * @output: Output buffer for hash (32 bytes)
+ */
+void sm3_hash(const uint8_t *input, size_t ilen, uint8_t output[SM3_DIGEST_SIZE])
+{
+	struct sm3_context sctx;
+
+	sm3_init(&sctx);
+	sm3_update(&sctx, input, ilen);
+	sm3_final(&sctx, output);
+}
+
+/**
+ * sm3_csum_wd - Calculate SM3 checksum on memory region using watchdog
+ * @addr: Starting address
+ * @len: Length in bytes
+ * @output: Output buffer for checksum (32 bytes)
+ * @flags: Flags for watchdog behavior
+ *
+ * This is the U-Boot API entry function for SM3 hash calculation
+ */
+void sm3_csum_wd(const unsigned char *input, uint32_t len,
+		 unsigned char *output, unsigned int chunk_sz)
+{
+	struct sm3_context ctx;
+	uint32_t chunk;
+
+	sm3_init(&ctx);
+
+	/* Process data in chunks, kicking watchdog between chunks */
+	while (len > 0) {
+		chunk = (len > chunk_sz) ? chunk_sz : len;
+		sm3_update(&ctx, input, chunk);
+		input += chunk;
+		len -= chunk;
+
+		schedule();
+	}
+	sm3_final(&ctx, output);
+}
-- 
2.20.1

[PATCH v2 3/5] test: cmd: hash: add unit test for sm3_256

[Heiko Schocher]

add simple test for sm3 256 hash

Signed-off-by: Heiko Schocher <hs@nabladev.com>
---
I wonder why this tests are under DM and not under CMD
Should we move them to CMD ?

Ignored checkpatch warnings for too long lines.

(no changes since v1)

 test/cmd/hash.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/test/cmd/hash.c b/test/cmd/hash.c
index bb96380c351..3f7f64d27d3 100644
--- a/test/cmd/hash.c
+++ b/test/cmd/hash.c
@@ -103,3 +103,49 @@ static int dm_test_cmd_hash_sha256(struct unit_test_state *uts)
 	return 0;
 }
 DM_TEST(dm_test_cmd_hash_sha256, UTF_CONSOLE);
+
+static int dm_test_cmd_hash_sm3_256(struct unit_test_state *uts)
+{
+	const char *sum = "1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b";
+
+	if (!CONFIG_IS_ENABLED(SM3)) {
+		ut_assert(run_command("hash sm3_256 $loadaddr 0", 0));
+
+		return 0;
+	}
+
+	ut_assertok(run_command("hash sm3_256 $loadaddr 0", 0));
+	console_record_readline(uts->actual_str, sizeof(uts->actual_str));
+	ut_asserteq_ptr(uts->actual_str,
+			strstr(uts->actual_str, "sm3_256 for "));
+	ut_assert(strstr(uts->actual_str, sum));
+	ut_assert_console_end();
+
+	ut_assertok(run_command("hash sm3_256 $loadaddr 0 foo; echo $foo", 0));
+	console_record_readline(uts->actual_str, sizeof(uts->actual_str));
+	ut_asserteq_ptr(uts->actual_str,
+			strstr(uts->actual_str, "sm3_256 for "));
+	ut_assert(strstr(uts->actual_str, sum));
+	ut_assertok(ut_check_console_line(uts, sum));
+
+	if (!CONFIG_IS_ENABLED(HASH_VERIFY)) {
+		ut_assert(run_command("hash -v sm3_256 $loadaddr 0 foo", 0));
+		ut_assertok(ut_check_console_line(uts,
+						  "hash - compute hash message digest"));
+
+		return 0;
+	}
+
+	ut_assertok(run_command("hash -v sm3_256 $loadaddr 0 foo", 0));
+	ut_assert_console_end();
+
+	env_set("foo",
+		"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff");
+	ut_assert(run_command("hash -v sm3_256 $loadaddr 0 foo", 0));
+	console_record_readline(uts->actual_str, sizeof(uts->actual_str));
+	ut_assert(strstr(uts->actual_str, "!="));
+	ut_assert_console_end();
+
+	return 0;
+}
+DM_TEST(dm_test_cmd_hash_sm3_256, UTF_CONSOLE);
-- 
2.20.1

[PATCH v2 4/5] tpm2: add sm3 256 hash support

[Heiko Schocher]

add sm3 256 hash support, so TPM2 chips which report
5 pcrs with sm3 hash do not fail with:

  u-boot=> tpm2 autostart
  tpm2_get_pcr_info: too many pcrs: 5
  Error: -90

Signed-off-by: Heiko Schocher <hs@nabladev.com>

---

Changes in v2:
add comments from Ilias
- use ARRAY_SIZE(hash_algo_list) instead of a fix number
  in tpm2_get_pcr_info() for the count of supported hashes
  in U-Boot.
- add SM3 hash in tpm_tcg2

 cmd/tpm-v2.c     |  1 +
 include/tpm-v2.h | 12 ++++++++++++
 lib/tpm-v2.c     |  4 ++--
 lib/tpm_tcg2.c   |  9 +++++++++
 4 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
index 346e21d27bb..847b2691581 100644
--- a/cmd/tpm-v2.c
+++ b/cmd/tpm-v2.c
@@ -589,6 +589,7 @@ U_BOOT_CMD(tpm2, CONFIG_SYS_MAXARGS, 1, do_tpm, "Issue a TPMv2.x command",
 "        * sha256\n"
 "        * sha384\n"
 "        * sha512\n"
+"        * sm3_256\n"
 "    <on|off> is one of:\n"
 "        * on  - Select all available PCRs associated with the specified\n"
 "                algorithm (bank)\n"
diff --git a/include/tpm-v2.h b/include/tpm-v2.h
index f3eb2ef5643..a776d24d71f 100644
--- a/include/tpm-v2.h
+++ b/include/tpm-v2.h
@@ -345,6 +345,18 @@ static const struct digest_info hash_algo_list[] = {
 		false,
 #endif
 	},
+	{
+		"sm3_256",
+		TPM2_ALG_SM3_256,
+		TCG2_BOOT_HASH_ALG_SM3_256,
+		TPM2_SM3_256_DIGEST_SIZE,
+#if IS_ENABLED(CONFIG_SM3)
+		true,
+#else
+		false,
+#endif
+	},
+
 };
 
 /* NV index attributes */
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
index 5b21c57ae42..f443b738f82 100644
--- a/lib/tpm-v2.c
+++ b/lib/tpm-v2.c
@@ -686,10 +686,10 @@ int tpm2_get_pcr_info(struct udevice *dev, struct tpml_pcr_selection *pcrs)
 
 	pcrs->count = get_unaligned_be32(response);
 	/*
-	 * We only support 4 algorithms for now so check against that
+	 * check against the supported algorithms in hash_algo_list,
 	 * instead of TPM2_NUM_PCR_BANKS
 	 */
-	if (pcrs->count > 4 || pcrs->count < 1) {
+	if (pcrs->count > ARRAY_SIZE(hash_algo_list) || pcrs->count < 1) {
 		printf("%s: too many pcrs: %u\n", __func__, pcrs->count);
 		return -EMSGSIZE;
 	}
diff --git a/lib/tpm_tcg2.c b/lib/tpm_tcg2.c
index c314b401d0b..d41228f75a9 100644
--- a/lib/tpm_tcg2.c
+++ b/lib/tpm_tcg2.c
@@ -12,6 +12,7 @@
 #include <u-boot/sha1.h>
 #include <u-boot/sha256.h>
 #include <u-boot/sha512.h>
+#include <u-boot/sm3.h>
 #include <version_string.h>
 #include <asm/io.h>
 #include <linux/bitops.h>
@@ -143,6 +144,12 @@ int tcg2_create_digest(struct udevice *dev, const u8 *input, u32 length,
 			sha512_finish(&ctx_512, final);
 			len = TPM2_SHA512_DIGEST_SIZE;
 			break;
+#endif
+#if IS_ENABLED(CONFIG_SM3)
+		case TPM2_ALG_SM3_256:
+			sm3_hash(input, length, final);
+			len = TPM2_SM3_256_DIGEST_SIZE;
+			break;
 #endif
 		default:
 			printf("%s: unsupported algorithm %x\n", __func__,
@@ -319,6 +326,7 @@ static int tcg2_replay_eventlog(struct tcg2_event_log *elog,
 			case TPM2_ALG_SHA256:
 			case TPM2_ALG_SHA384:
 			case TPM2_ALG_SHA512:
+			case TPM2_ALG_SM3_256:
 				len = tpm2_algorithm_to_len(algo);
 				break;
 			default:
@@ -431,6 +439,7 @@ static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog,
 		case TPM2_ALG_SHA256:
 		case TPM2_ALG_SHA384:
 		case TPM2_ALG_SHA512:
+		case TPM2_ALG_SM3_256:
 			len = get_unaligned_le16(&event->digest_sizes[i].digest_size);
 			if (tpm2_algorithm_to_len(algo) != len) {
 				log_err("EventLog invalid algorithm length\n");
-- 
2.20.1

[PATCH v2 5/5] test: cmd: fix a typo in md5 test

[Heiko Schocher]

In dm_test_cmd_hash_md5 accidentially sha256 hash
ist used. Use the correct md5 hash instead.

Signed-off-by: Heiko Schocher <hs@nabladev.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

---

Changes in v2:
Added Reviewed-by tag from Heinrich

 test/cmd/hash.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/cmd/hash.c b/test/cmd/hash.c
index 3f7f64d27d3..3a3869831ce 100644
--- a/test/cmd/hash.c
+++ b/test/cmd/hash.c
@@ -38,7 +38,7 @@ static int dm_test_cmd_hash_md5(struct unit_test_state *uts)
 					  "d41d8cd98f00b204e9800998ecf8427e"));
 
 	if (!CONFIG_IS_ENABLED(HASH_VERIFY)) {
-		ut_assert(run_command("hash -v sha256 $loadaddr 0 foo", 0));
+		ut_assert(run_command("hash -v md5 $loadaddr 0 foo", 0));
 		ut_assertok(ut_check_console_line(
 				uts, "hash - compute hash message digest"));
 
-- 
2.20.1

Re: [PATCH v2 3/5] test: cmd: hash: add unit test for sm3_256

[Heinrich Schuchardt]

Am 11. November 2025 06:48:10 MEZ schrieb Heiko Schocher <hs@nabladev.com>:
>add simple test for sm3 256 hash
>
>Signed-off-by: Heiko Schocher <hs@nabladev.com>
>---
>I wonder why this tests are under DM and not under CMD
>Should we move them to CMD ?

We should use CMD_TEST() in the test/cmd/  directory.

Best regards 

Heinrich 

>
>Ignored checkpatch warnings for too long lines.
>
>(no changes since v1)
>
> test/cmd/hash.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 46 insertions(+)
>
>diff --git a/test/cmd/hash.c b/test/cmd/hash.c
>index bb96380c351..3f7f64d27d3 100644
>--- a/test/cmd/hash.c
>+++ b/test/cmd/hash.c
>@@ -103,3 +103,49 @@ static int dm_test_cmd_hash_sha256(struct unit_test_state *uts)
> 	return 0;
> }
> DM_TEST(dm_test_cmd_hash_sha256, UTF_CONSOLE);
>+
>+static int dm_test_cmd_hash_sm3_256(struct unit_test_state *uts)
>+{
>+	const char *sum = "1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b";
>+
>+	if (!CONFIG_IS_ENABLED(SM3)) {
>+		ut_assert(run_command("hash sm3_256 $loadaddr 0", 0));
>+
>+		return 0;
>+	}
>+
>+	ut_assertok(run_command("hash sm3_256 $loadaddr 0", 0));
>+	console_record_readline(uts->actual_str, sizeof(uts->actual_str));
>+	ut_asserteq_ptr(uts->actual_str,
>+			strstr(uts->actual_str, "sm3_256 for "));
>+	ut_assert(strstr(uts->actual_str, sum));
>+	ut_assert_console_end();
>+
>+	ut_assertok(run_command("hash sm3_256 $loadaddr 0 foo; echo $foo", 0));
>+	console_record_readline(uts->actual_str, sizeof(uts->actual_str));
>+	ut_asserteq_ptr(uts->actual_str,
>+			strstr(uts->actual_str, "sm3_256 for "));
>+	ut_assert(strstr(uts->actual_str, sum));
>+	ut_assertok(ut_check_console_line(uts, sum));
>+
>+	if (!CONFIG_IS_ENABLED(HASH_VERIFY)) {
>+		ut_assert(run_command("hash -v sm3_256 $loadaddr 0 foo", 0));
>+		ut_assertok(ut_check_console_line(uts,
>+						  "hash - compute hash message digest"));
>+
>+		return 0;
>+	}
>+
>+	ut_assertok(run_command("hash -v sm3_256 $loadaddr 0 foo", 0));
>+	ut_assert_console_end();
>+
>+	env_set("foo",
>+		"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff");
>+	ut_assert(run_command("hash -v sm3_256 $loadaddr 0 foo", 0));
>+	console_record_readline(uts->actual_str, sizeof(uts->actual_str));
>+	ut_assert(strstr(uts->actual_str, "!="));
>+	ut_assert_console_end();
>+
>+	return 0;
>+}
>+DM_TEST(dm_test_cmd_hash_sm3_256, UTF_CONSOLE);

Re: [PATCH v2 5/5] test: cmd: fix a typo in md5 test

[Ilias Apalodimas]

On Tue, 11 Nov 2025 at 07:48, Heiko Schocher <hs@nabladev.com> wrote:
>
> In dm_test_cmd_hash_md5 accidentially sha256 hash
> ist used. Use the correct md5 hash instead.
>
> Signed-off-by: Heiko Schocher <hs@nabladev.com>
> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

>
> ---
>
> Changes in v2:
> Added Reviewed-by tag from Heinrich
>
>  test/cmd/hash.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/test/cmd/hash.c b/test/cmd/hash.c
> index 3f7f64d27d3..3a3869831ce 100644
> --- a/test/cmd/hash.c
> +++ b/test/cmd/hash.c
> @@ -38,7 +38,7 @@ static int dm_test_cmd_hash_md5(struct unit_test_state *uts)
>                                           "d41d8cd98f00b204e9800998ecf8427e"));
>
>         if (!CONFIG_IS_ENABLED(HASH_VERIFY)) {
> -               ut_assert(run_command("hash -v sha256 $loadaddr 0 foo", 0));
> +               ut_assert(run_command("hash -v md5 $loadaddr 0 foo", 0));
>                 ut_assertok(ut_check_console_line(
>                                 uts, "hash - compute hash message digest"));
>
> --
> 2.20.1
>

Re: [PATCH v2 1/5] lib: Import rol32 function from Linux

[Ilias Apalodimas]

On Tue, 11 Nov 2025 at 07:48, Heiko Schocher <hs@nabladev.com> wrote:
>
> sm3 crypto algorithm uses rol32 function from linux, so
> import it. Linux base was:
>
> commit ca91b9500108:("Merge tag 'v6.15-rc4-ksmbd-server-fixes' of git://git.samba.org/ksmbd")
>
> Signed-off-by: Heiko Schocher <hs@nabladev.com>

Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

> ---
>
> Changes in v2:
> rebase to
> 6b27b688694: ("Merge branch 'master' of https://source.denx.de/u-boot/custodians/u-boot-sh")
> add Ilias to Series-cc
>
>  include/linux/bitops.h | 11 +++++++++++
>  1 file changed, 11 insertions(+)
>
> diff --git a/include/linux/bitops.h b/include/linux/bitops.h
> index f826d7f3b34..29e0da48de8 100644
> --- a/include/linux/bitops.h
> +++ b/include/linux/bitops.h
> @@ -148,6 +148,17 @@ static inline unsigned long hweight_long(unsigned long w)
>         return sizeof(w) == 4 ? generic_hweight32(w) : generic_hweight64(w);
>  }
>
> +/**
> + * rol32 - rotate a 32-bit value left
> + * @word: value to rotate
> + * @shift: bits to roll
> + */
> +
> +static inline __u32 rol32(__u32 word, unsigned int shift)
> +{
> +       return (word << (shift & 31)) | (word >> ((-shift) & 31));
> +}
> +
>  #include <asm/bitops.h>
>
>  /* linux/include/asm-generic/bitops/non-atomic.h */
> --
> 2.20.1
>

Re: [PATCH v2 4/5] tpm2: add sm3 256 hash support

[Ilias Apalodimas]

Hi Heiko,

This all looks reasonable.
There's one place I forgot to mention though.   tcg2_hash_pe_image()
also needs SM3 support.

The easier way to test that SM3 is working is boot your device and
look at the PCR measurements
- 'tpm2_pcrread' -- The SM3 bank should be != 0
- tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements
should also include SM3

Thanks
/Ilias

On Tue, 11 Nov 2025 at 07:48, Heiko Schocher <hs@nabladev.com> wrote:
>
> add sm3 256 hash support, so TPM2 chips which report
> 5 pcrs with sm3 hash do not fail with:
>
>   u-boot=> tpm2 autostart
>   tpm2_get_pcr_info: too many pcrs: 5
>   Error: -90
>
> Signed-off-by: Heiko Schocher <hs@nabladev.com>
>
> ---
>
> Changes in v2:
> add comments from Ilias
> - use ARRAY_SIZE(hash_algo_list) instead of a fix number
>   in tpm2_get_pcr_info() for the count of supported hashes
>   in U-Boot.
> - add SM3 hash in tpm_tcg2
>
>  cmd/tpm-v2.c     |  1 +
>  include/tpm-v2.h | 12 ++++++++++++
>  lib/tpm-v2.c     |  4 ++--
>  lib/tpm_tcg2.c   |  9 +++++++++
>  4 files changed, 24 insertions(+), 2 deletions(-)
>
> diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
> index 346e21d27bb..847b2691581 100644
> --- a/cmd/tpm-v2.c
> +++ b/cmd/tpm-v2.c
> @@ -589,6 +589,7 @@ U_BOOT_CMD(tpm2, CONFIG_SYS_MAXARGS, 1, do_tpm, "Issue a TPMv2.x command",
>  "        * sha256\n"
>  "        * sha384\n"
>  "        * sha512\n"
> +"        * sm3_256\n"
>  "    <on|off> is one of:\n"
>  "        * on  - Select all available PCRs associated with the specified\n"
>  "                algorithm (bank)\n"
> diff --git a/include/tpm-v2.h b/include/tpm-v2.h
> index f3eb2ef5643..a776d24d71f 100644
> --- a/include/tpm-v2.h
> +++ b/include/tpm-v2.h
> @@ -345,6 +345,18 @@ static const struct digest_info hash_algo_list[] = {
>                 false,
>  #endif
>         },
> +       {
> +               "sm3_256",
> +               TPM2_ALG_SM3_256,
> +               TCG2_BOOT_HASH_ALG_SM3_256,
> +               TPM2_SM3_256_DIGEST_SIZE,
> +#if IS_ENABLED(CONFIG_SM3)
> +               true,
> +#else
> +               false,
> +#endif
> +       },
> +
>  };
>
>  /* NV index attributes */
> diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
> index 5b21c57ae42..f443b738f82 100644
> --- a/lib/tpm-v2.c
> +++ b/lib/tpm-v2.c
> @@ -686,10 +686,10 @@ int tpm2_get_pcr_info(struct udevice *dev, struct tpml_pcr_selection *pcrs)
>
>         pcrs->count = get_unaligned_be32(response);
>         /*
> -        * We only support 4 algorithms for now so check against that
> +        * check against the supported algorithms in hash_algo_list,
>          * instead of TPM2_NUM_PCR_BANKS
>          */
> -       if (pcrs->count > 4 || pcrs->count < 1) {
> +       if (pcrs->count > ARRAY_SIZE(hash_algo_list) || pcrs->count < 1) {
>                 printf("%s: too many pcrs: %u\n", __func__, pcrs->count);
>                 return -EMSGSIZE;
>         }
> diff --git a/lib/tpm_tcg2.c b/lib/tpm_tcg2.c
> index c314b401d0b..d41228f75a9 100644
> --- a/lib/tpm_tcg2.c
> +++ b/lib/tpm_tcg2.c
> @@ -12,6 +12,7 @@
>  #include <u-boot/sha1.h>
>  #include <u-boot/sha256.h>
>  #include <u-boot/sha512.h>
> +#include <u-boot/sm3.h>
>  #include <version_string.h>
>  #include <asm/io.h>
>  #include <linux/bitops.h>
> @@ -143,6 +144,12 @@ int tcg2_create_digest(struct udevice *dev, const u8 *input, u32 length,
>                         sha512_finish(&ctx_512, final);
>                         len = TPM2_SHA512_DIGEST_SIZE;
>                         break;
> +#endif
> +#if IS_ENABLED(CONFIG_SM3)
> +               case TPM2_ALG_SM3_256:
> +                       sm3_hash(input, length, final);
> +                       len = TPM2_SM3_256_DIGEST_SIZE;
> +                       break;
>  #endif
>                 default:
>                         printf("%s: unsupported algorithm %x\n", __func__,
> @@ -319,6 +326,7 @@ static int tcg2_replay_eventlog(struct tcg2_event_log *elog,
>                         case TPM2_ALG_SHA256:
>                         case TPM2_ALG_SHA384:
>                         case TPM2_ALG_SHA512:
> +                       case TPM2_ALG_SM3_256:
>                                 len = tpm2_algorithm_to_len(algo);
>                                 break;
>                         default:
> @@ -431,6 +439,7 @@ static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog,
>                 case TPM2_ALG_SHA256:
>                 case TPM2_ALG_SHA384:
>                 case TPM2_ALG_SHA512:
> +               case TPM2_ALG_SM3_256:
>                         len = get_unaligned_le16(&event->digest_sizes[i].digest_size);
>                         if (tpm2_algorithm_to_len(algo) != len) {
>                                 log_err("EventLog invalid algorithm length\n");
> --
> 2.20.1
>

Re: [PATCH v2 4/5] tpm2: add sm3 256 hash support

[Ilias Apalodimas]

[...]

> > @@ -143,6 +144,12 @@ int tcg2_create_digest(struct udevice *dev, const u8 *input, u32 length,
> >                         sha512_finish(&ctx_512, final);
> >                         len = TPM2_SHA512_DIGEST_SIZE;
> >                         break;
> > +#endif
> > +#if IS_ENABLED(CONFIG_SM3)
> > +               case TPM2_ALG_SM3_256:
> > +                       sm3_hash(input, length, final);

I haven't looked at the sm3 implementation yet, but it doesn't have the usual
start
update
finish
?

Thanks
/Ilias
> > +                       len = TPM2_SM3_256_DIGEST_SIZE;
> > +                       break;
> >  #endif
> >                 default:
> >                         printf("%s: unsupported algorithm %x\n", __func__,
> > @@ -319,6 +326,7 @@ static int tcg2_replay_eventlog(struct tcg2_event_log *elog,
> >                         case TPM2_ALG_SHA256:
> >                         case TPM2_ALG_SHA384:
> >                         case TPM2_ALG_SHA512:
> > +                       case TPM2_ALG_SM3_256:
> >                                 len = tpm2_algorithm_to_len(algo);
> >                                 break;
> >                         default:
> > @@ -431,6 +439,7 @@ static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog,
> >                 case TPM2_ALG_SHA256:
> >                 case TPM2_ALG_SHA384:
> >                 case TPM2_ALG_SHA512:
> > +               case TPM2_ALG_SM3_256:
> >                         len = get_unaligned_le16(&event->digest_sizes[i].digest_size);
> >                         if (tpm2_algorithm_to_len(algo) != len) {
> >                                 log_err("EventLog invalid algorithm length\n");
> > --
> > 2.20.1
> >

Re: [PATCH v2 2/5] lib: implement sm3 256 hash

[Ilias Apalodimas]

I think this would be easier to review/ack if you split the cmd
implementation from the actual hashing algo.

[...]

> +void sm3_init(struct sm3_context *sctx)
> +{
> +       memset(sctx, 0, sizeof(struct sm3_context));

I usually prefer sizeof(*sctx), but up to you

> +
> +       /* Load initial values */
> +       sctx->state[0] = SM3_IVA;
> +       sctx->state[1] = SM3_IVB;
> +       sctx->state[2] = SM3_IVC;
> +       sctx->state[3] = SM3_IVD;
> +       sctx->state[4] = SM3_IVE;
> +       sctx->state[5] = SM3_IVF;
> +       sctx->state[6] = SM3_IVG;
> +       sctx->state[7] = SM3_IVH;
> +       sctx->count = 0;
> +}
> +
> +static inline void sm3_block(struct sm3_context *sctx,
> +               u8 const *data, int blocks, u32 W[16])
> +{
> +       while (blocks--) {
> +               sm3_transform(sctx, data, W);
> +               data += SM3_BLOCK_SIZE;
> +       }
> +}
> +
> +void sm3_update(struct sm3_context *sctx, const uint8_t *input, size_t ilen)
> +{
> +       unsigned int partial = sctx->count % SM3_BLOCK_SIZE;
> +       u32 W[16];
> +
> +       sctx->count += ilen;
> +
> +       if ((partial + ilen) >= SM3_BLOCK_SIZE) {
> +               int blocks;
> +
> +               if (partial) {
> +                       int p = SM3_BLOCK_SIZE - partial;
> +
> +                       memcpy(sctx->buffer + partial, input, p);
> +                       input += p;
> +                       ilen -= p;
> +
> +                       sm3_block(sctx, sctx->buffer, 1, W);
> +               }
> +
> +               blocks = ilen / SM3_BLOCK_SIZE;
> +               ilen %= SM3_BLOCK_SIZE;
> +
> +               if (blocks) {
> +                       sm3_block(sctx, input, blocks, W);
> +                       input += blocks * SM3_BLOCK_SIZE;
> +               }
> +
> +               memset(W, 0, sizeof(W));
> +
> +               partial = 0;
> +       }
> +       if (ilen)
> +               memcpy(sctx->buffer + partial, input, ilen);
> +}
> +
> +void sm3_final(struct sm3_context *sctx, uint8_t output[SM3_DIGEST_SIZE])

I think it's more readable to just define this as output[]
[...]

> +/**
> + * sm3_hash - Calculate SM3 hash of input data
> + * @input: Input data
> + * @ilen: Input data length in bytes
> + * @output: Output buffer for hash (32 bytes)
> + */
> +void sm3_hash(const uint8_t *input, size_t ilen, uint8_t output[SM3_DIGEST_SIZE])
> +{
> +       struct sm3_context sctx;
> +
> +       sm3_init(&sctx);
> +       sm3_update(&sctx, input, ilen);
> +       sm3_final(&sctx, output);

Ah ignore my comment on patch #4
init, update, final is wrapped in this function

[...]

Thanks
/Ilias

Re: [PATCH v2 3/5] test: cmd: hash: add unit test for sm3_256

[Heiko Schocher]

Hello Heinrich,

On 11.11.25 07:39, Heinrich Schuchardt wrote:
> Am 11. November 2025 06:48:10 MEZ schrieb Heiko Schocher <hs@nabladev.com>:
>> add simple test for sm3 256 hash
>>
>> Signed-off-by: Heiko Schocher <hs@nabladev.com>
>> ---
>> I wonder why this tests are under DM and not under CMD
>> Should we move them to CMD ?
> 
> We should use CMD_TEST() in the test/cmd/  directory.

I aggree... candidates would be:

$ grep -lr DM_TEST test/cmd
test/cmd/temperature.c
test/cmd/pwm.c
test/cmd/hash.c
test/cmd/pinmux.c
test/cmd/rw.c
test/cmd/armffa.c
test/cmd/loadm.c
test/cmd/i3c.c

but that change should be done in seperate series...

I can make such a series, if this one is acceppted?

Thanks!

bye,
Heiko

> 
> Best regards
> 
> Heinrich
> 
>>
>> Ignored checkpatch warnings for too long lines.
>>
>> (no changes since v1)
>>
>> test/cmd/hash.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 46 insertions(+)
>>
>> diff --git a/test/cmd/hash.c b/test/cmd/hash.c
>> index bb96380c351..3f7f64d27d3 100644
>> --- a/test/cmd/hash.c
>> +++ b/test/cmd/hash.c
>> @@ -103,3 +103,49 @@ static int dm_test_cmd_hash_sha256(struct unit_test_state *uts)
>> 	return 0;
>> }
>> DM_TEST(dm_test_cmd_hash_sha256, UTF_CONSOLE);
>> +
>> +static int dm_test_cmd_hash_sm3_256(struct unit_test_state *uts)
>> +{
>> +	const char *sum = "1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b";
>> +
>> +	if (!CONFIG_IS_ENABLED(SM3)) {
>> +		ut_assert(run_command("hash sm3_256 $loadaddr 0", 0));
>> +
>> +		return 0;
>> +	}
>> +
>> +	ut_assertok(run_command("hash sm3_256 $loadaddr 0", 0));
>> +	console_record_readline(uts->actual_str, sizeof(uts->actual_str));
>> +	ut_asserteq_ptr(uts->actual_str,
>> +			strstr(uts->actual_str, "sm3_256 for "));
>> +	ut_assert(strstr(uts->actual_str, sum));
>> +	ut_assert_console_end();
>> +
>> +	ut_assertok(run_command("hash sm3_256 $loadaddr 0 foo; echo $foo", 0));
>> +	console_record_readline(uts->actual_str, sizeof(uts->actual_str));
>> +	ut_asserteq_ptr(uts->actual_str,
>> +			strstr(uts->actual_str, "sm3_256 for "));
>> +	ut_assert(strstr(uts->actual_str, sum));
>> +	ut_assertok(ut_check_console_line(uts, sum));
>> +
>> +	if (!CONFIG_IS_ENABLED(HASH_VERIFY)) {
>> +		ut_assert(run_command("hash -v sm3_256 $loadaddr 0 foo", 0));
>> +		ut_assertok(ut_check_console_line(uts,
>> +						  "hash - compute hash message digest"));
>> +
>> +		return 0;
>> +	}
>> +
>> +	ut_assertok(run_command("hash -v sm3_256 $loadaddr 0 foo", 0));
>> +	ut_assert_console_end();
>> +
>> +	env_set("foo",
>> +		"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff");
>> +	ut_assert(run_command("hash -v sm3_256 $loadaddr 0 foo", 0));
>> +	console_record_readline(uts->actual_str, sizeof(uts->actual_str));
>> +	ut_assert(strstr(uts->actual_str, "!="));
>> +	ut_assert_console_end();
>> +
>> +	return 0;
>> +}
>> +DM_TEST(dm_test_cmd_hash_sm3_256, UTF_CONSOLE);
> 

-- 
Nabla Software Engineering
HRB 40522 Augsburg
Phone: +49 821 45592596
E-Mail: office@nabladev.com
Geschäftsführer : Stefano Babic

Re: [PATCH v2 4/5] tpm2: add sm3 256 hash support

[Heiko Schocher]

Hello Ilias,

On 11.11.25 10:34, Ilias Apalodimas wrote:
> Hi Heiko,
> 
> This all looks reasonable.
> There's one place I forgot to mention though.   tcg2_hash_pe_image()
> also needs SM3 support.

I take a look!

> The easier way to test that SM3 is working is boot your device and
> look at the PCR measurements
> - 'tpm2_pcrread' -- The SM3 bank should be != 0
> - tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements
> should also include SM3

I give it a try ...

Thanks!

bye,
Heiko
> 
> Thanks
> /Ilias
> 
> On Tue, 11 Nov 2025 at 07:48, Heiko Schocher <hs@nabladev.com> wrote:
>>
>> add sm3 256 hash support, so TPM2 chips which report
>> 5 pcrs with sm3 hash do not fail with:
>>
>>    u-boot=> tpm2 autostart
>>    tpm2_get_pcr_info: too many pcrs: 5
>>    Error: -90
>>
>> Signed-off-by: Heiko Schocher <hs@nabladev.com>
>>
>> ---
>>
>> Changes in v2:
>> add comments from Ilias
>> - use ARRAY_SIZE(hash_algo_list) instead of a fix number
>>    in tpm2_get_pcr_info() for the count of supported hashes
>>    in U-Boot.
>> - add SM3 hash in tpm_tcg2
>>
>>   cmd/tpm-v2.c     |  1 +
>>   include/tpm-v2.h | 12 ++++++++++++
>>   lib/tpm-v2.c     |  4 ++--
>>   lib/tpm_tcg2.c   |  9 +++++++++
>>   4 files changed, 24 insertions(+), 2 deletions(-)
>>
>> diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
>> index 346e21d27bb..847b2691581 100644
>> --- a/cmd/tpm-v2.c
>> +++ b/cmd/tpm-v2.c
>> @@ -589,6 +589,7 @@ U_BOOT_CMD(tpm2, CONFIG_SYS_MAXARGS, 1, do_tpm, "Issue a TPMv2.x command",
>>   "        * sha256\n"
>>   "        * sha384\n"
>>   "        * sha512\n"
>> +"        * sm3_256\n"
>>   "    <on|off> is one of:\n"
>>   "        * on  - Select all available PCRs associated with the specified\n"
>>   "                algorithm (bank)\n"
>> diff --git a/include/tpm-v2.h b/include/tpm-v2.h
>> index f3eb2ef5643..a776d24d71f 100644
>> --- a/include/tpm-v2.h
>> +++ b/include/tpm-v2.h
>> @@ -345,6 +345,18 @@ static const struct digest_info hash_algo_list[] = {
>>                  false,
>>   #endif
>>          },
>> +       {
>> +               "sm3_256",
>> +               TPM2_ALG_SM3_256,
>> +               TCG2_BOOT_HASH_ALG_SM3_256,
>> +               TPM2_SM3_256_DIGEST_SIZE,
>> +#if IS_ENABLED(CONFIG_SM3)
>> +               true,
>> +#else
>> +               false,
>> +#endif
>> +       },
>> +
>>   };
>>
>>   /* NV index attributes */
>> diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
>> index 5b21c57ae42..f443b738f82 100644
>> --- a/lib/tpm-v2.c
>> +++ b/lib/tpm-v2.c
>> @@ -686,10 +686,10 @@ int tpm2_get_pcr_info(struct udevice *dev, struct tpml_pcr_selection *pcrs)
>>
>>          pcrs->count = get_unaligned_be32(response);
>>          /*
>> -        * We only support 4 algorithms for now so check against that
>> +        * check against the supported algorithms in hash_algo_list,
>>           * instead of TPM2_NUM_PCR_BANKS
>>           */
>> -       if (pcrs->count > 4 || pcrs->count < 1) {
>> +       if (pcrs->count > ARRAY_SIZE(hash_algo_list) || pcrs->count < 1) {
>>                  printf("%s: too many pcrs: %u\n", __func__, pcrs->count);
>>                  return -EMSGSIZE;
>>          }
>> diff --git a/lib/tpm_tcg2.c b/lib/tpm_tcg2.c
>> index c314b401d0b..d41228f75a9 100644
>> --- a/lib/tpm_tcg2.c
>> +++ b/lib/tpm_tcg2.c
>> @@ -12,6 +12,7 @@
>>   #include <u-boot/sha1.h>
>>   #include <u-boot/sha256.h>
>>   #include <u-boot/sha512.h>
>> +#include <u-boot/sm3.h>
>>   #include <version_string.h>
>>   #include <asm/io.h>
>>   #include <linux/bitops.h>
>> @@ -143,6 +144,12 @@ int tcg2_create_digest(struct udevice *dev, const u8 *input, u32 length,
>>                          sha512_finish(&ctx_512, final);
>>                          len = TPM2_SHA512_DIGEST_SIZE;
>>                          break;
>> +#endif
>> +#if IS_ENABLED(CONFIG_SM3)
>> +               case TPM2_ALG_SM3_256:
>> +                       sm3_hash(input, length, final);
>> +                       len = TPM2_SM3_256_DIGEST_SIZE;
>> +                       break;
>>   #endif
>>                  default:
>>                          printf("%s: unsupported algorithm %x\n", __func__,
>> @@ -319,6 +326,7 @@ static int tcg2_replay_eventlog(struct tcg2_event_log *elog,
>>                          case TPM2_ALG_SHA256:
>>                          case TPM2_ALG_SHA384:
>>                          case TPM2_ALG_SHA512:
>> +                       case TPM2_ALG_SM3_256:
>>                                  len = tpm2_algorithm_to_len(algo);
>>                                  break;
>>                          default:
>> @@ -431,6 +439,7 @@ static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog,
>>                  case TPM2_ALG_SHA256:
>>                  case TPM2_ALG_SHA384:
>>                  case TPM2_ALG_SHA512:
>> +               case TPM2_ALG_SM3_256:
>>                          len = get_unaligned_le16(&event->digest_sizes[i].digest_size);
>>                          if (tpm2_algorithm_to_len(algo) != len) {
>>                                  log_err("EventLog invalid algorithm length\n");
>> --
>> 2.20.1
>>

-- 
Nabla Software Engineering
HRB 40522 Augsburg
Phone: +49 821 45592596
E-Mail: office@nabladev.com
Geschäftsführer : Stefano Babic

Re: [PATCH v2 2/5] lib: implement sm3 256 hash

[Heiko Schocher]

Hello Ilias,

On 11.11.25 10:47, Ilias Apalodimas wrote:
> I think this would be easier to review/ack if you split the cmd
> implementation from the actual hashing algo.

Okay, I will split it in v3 into 2 patches.

> 
> [...]
> 
>> +void sm3_init(struct sm3_context *sctx)
>> +{
>> +       memset(sctx, 0, sizeof(struct sm3_context));
> 
> I usually prefer sizeof(*sctx), but up to you

Hmm.. I have no preference here ... so I change it.

>> +
>> +       /* Load initial values */
>> +       sctx->state[0] = SM3_IVA;
>> +       sctx->state[1] = SM3_IVB;
>> +       sctx->state[2] = SM3_IVC;
>> +       sctx->state[3] = SM3_IVD;
>> +       sctx->state[4] = SM3_IVE;
>> +       sctx->state[5] = SM3_IVF;
>> +       sctx->state[6] = SM3_IVG;
>> +       sctx->state[7] = SM3_IVH;
>> +       sctx->count = 0;
>> +}
>> +
>> +static inline void sm3_block(struct sm3_context *sctx,
>> +               u8 const *data, int blocks, u32 W[16])
>> +{
>> +       while (blocks--) {
>> +               sm3_transform(sctx, data, W);
>> +               data += SM3_BLOCK_SIZE;
>> +       }
>> +}
>> +
>> +void sm3_update(struct sm3_context *sctx, const uint8_t *input, size_t ilen)
>> +{
>> +       unsigned int partial = sctx->count % SM3_BLOCK_SIZE;
>> +       u32 W[16];
>> +
>> +       sctx->count += ilen;
>> +
>> +       if ((partial + ilen) >= SM3_BLOCK_SIZE) {
>> +               int blocks;
>> +
>> +               if (partial) {
>> +                       int p = SM3_BLOCK_SIZE - partial;
>> +
>> +                       memcpy(sctx->buffer + partial, input, p);
>> +                       input += p;
>> +                       ilen -= p;
>> +
>> +                       sm3_block(sctx, sctx->buffer, 1, W);
>> +               }
>> +
>> +               blocks = ilen / SM3_BLOCK_SIZE;
>> +               ilen %= SM3_BLOCK_SIZE;
>> +
>> +               if (blocks) {
>> +                       sm3_block(sctx, input, blocks, W);
>> +                       input += blocks * SM3_BLOCK_SIZE;
>> +               }
>> +
>> +               memset(W, 0, sizeof(W));
>> +
>> +               partial = 0;
>> +       }
>> +       if (ilen)
>> +               memcpy(sctx->buffer + partial, input, ilen);
>> +}
>> +
>> +void sm3_final(struct sm3_context *sctx, uint8_t output[SM3_DIGEST_SIZE])
> 
> I think it's more readable to just define this as output[]
> [...]

okay, I also change it in sm3_hash()

> 
>> +/**
>> + * sm3_hash - Calculate SM3 hash of input data
>> + * @input: Input data
>> + * @ilen: Input data length in bytes
>> + * @output: Output buffer for hash (32 bytes)
>> + */
>> +void sm3_hash(const uint8_t *input, size_t ilen, uint8_t output[SM3_DIGEST_SIZE])
>> +{
>> +       struct sm3_context sctx;
>> +
>> +       sm3_init(&sctx);
>> +       sm3_update(&sctx, input, ilen);
>> +       sm3_final(&sctx, output);
> 
> Ah ignore my comment on patch #4
> init, update, final is wrapped in this function

Yep, it saves in lib/tpm_tcg2.c tcg2_create_digest() another ifdef
in the variable declaration part.

bye,
Heiko
> 
> [...]
> 
> Thanks
> /Ilias
> 

-- 
Nabla Software Engineering
HRB 40522 Augsburg
Phone: +49 821 45592596
E-Mail: office@nabladev.com
Geschäftsführer : Stefano Babic